港股 AI 概念板块专属投研顾问。结合宏观流动性、南向资金博弈与 AI 产业基本面,提供深度的个股挖掘与风控策略。
v1.0.0港股 AI 概念板块专属投研顾问。结合宏观流动性、南向资金博弈与 AI 产业基本面,提供深度的个股挖掘与风控策略。
⭐ 5· 2.7k·28 current·29 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description (HK AI-sector investment research) align with the network hosts listed in SKILL.md (hkex, aastocks, finance.yahoo, futu5) and the requested read-only file access — these are reasonable for market research. However, SKILL.md also requests an OPENAI_API_KEY which is not obviously required for data scraping/analysis by the skill itself and is not declared in the registry metadata, creating an unexplained capability.
Instruction Scope
SKILL.md contains detailed runtime instructions and a permissions header that ask for network access and environment variables. The analysis steps themselves stay within market-research scope, but SKILL.md explicitly references environment variables (MARKET_DATA_API_KEY and OPENAI_API_KEY) and network hosts while the published metadata lists no required env vars or network permissions — the instructions therefore request runtime accesses that are not represented in the skill registry, which is a scope/information mismatch that should be clarified.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lowest-risk install surface (nothing downloaded or written to disk).
Credentials
SKILL.md asks for MARKET_DATA_API_KEY (plausible) and OPENAI_API_KEY (questionable). Requiring a market-data key is reasonable; requiring an OpenAI API key is unexpected because the hosting platform normally provides model invocation. The registry metadata declaring no required env vars makes this discrepancy more suspicious. The skill should justify why direct access to an external OpenAI key is needed and which market-data provider the MARKET_DATA_API_KEY is for.
Persistence & Privilege
always is false and there is no install hook or persistent configuration requested. The SKILL.md requests only read-only file access. Autonomous invocation is enabled by default on the platform and not itself a red flag here.
What to consider before installing
Before installing, ask the publisher to explain and correct the mismatch between the registry metadata and SKILL.md: SKILL.md requests two environment variables (MARKET_DATA_API_KEY and OPENAI_API_KEY) and lists network hosts, but the registry shows no required env vars. Specifically: (1) Ask why an OPENAI_API_KEY is needed — the platform normally provides model access; giving your OpenAI key could allow data to be sent to an external OpenAI account. (2) Ask which market-data provider the MARKET_DATA_API_KEY is for and whether the skill will transmit any user data to third parties. (3) Request that the registry metadata be updated to accurately list required env vars and network access, or remove those entries from SKILL.md if they are not actually used. If you cannot verify these answers, avoid providing high-privilege credentials (API keys) or installing the skill system-wide.Like a lobster shell, security has layers — review code before you run it.
latestvk975m709cscj8h5m3b66b515vn81d29d
License
MIT-0
Free to use, modify, and redistribute. No attribution required.